|
|
|
Finjan Researchers Uncover Marketplace for Botnets
By: Brian Prince
2009-06-17
Article Rating: / 2
There are 0 user comments on this Network Security & Hardware story.
Researchers at Finjan outlined a sophisticated one-stop shop for cyber-criminals buying and trading in infected computers. Called Golden Cash, the network has been linked to the compromises of around 100,000 PCs and FTP credentials.Researchers at Finjan have
put the spotlight on a one-stop shop in the marketplace for malware-infected
machines.
In Finjans latest Cybercrime Intelligence
Report for 2009, the company outlines the operations of the Golden Cash
network, a one-stop shop trading platform for cyber-criminals trafficking in
compromised PCs. While the sale of bots in the cyber-criminal
underground is nothing new, the research shows the sophistication of
the marketplace for compromised computers. Bringing together buyers
and sellers of compromised
PCs, Golden Cash is involved in every part of the process,
from providing partners with attack toolkits to the actual sale and
purchase of machines.
On the buyer side of
things, batches of 1,000
malware-infected PCs can be purchased for between $5 and $100, depending on
the territory/country. Partners are paid for successfully distributing the bot
and collecting FTP credentials of legitimated Websites through the infected
machines.
Finjan analyzed the
affiliate network for two months and linked it to the compromises of around
100,000 PCs and FTP credentials. The company spotted around a few dozen people
using the platform, which researchers believe may be the work of the
RBN (Russian Business Network).
We believe they attempted
to compromise at least 1 million PCs to get the 100,000 accounts, Finjan
CTO Yuval Ben-Itzhak explained in an
interview with eWEEK. One of the servers in use is hosted in Russia. The group is also associated
with the SEO poisoning attacks Finjan reported on [in] the previous CI [Cybercrime
Intelligence] report we issued.
Once an attacker infects a
computer, the malware reports back to the Golden Cash Server and the attackers
account is credited. The first instruction sent to the infected users machine
is to install an FTP grabber to steal FTP credentials. The compromised machines
are then put up for sale.
More technical information
about the infection is available on the Finjan MCRC blog.
|
|
�������x}ks6*�Q3{L=RJv,ki;[CĘ"$8_N?q��G23N& �4�F�w?H�9wur&�k�}jx֢w>w߽��$Yf0TEK\Ϥ^=Am۟�@imMzΠN@\��~m@^c?³H,Ad-FF5��%SjMA]kf�{F}_f2z5o0�f��E1;F��6I�_MM9�J��D�ڥ���E!mG$oq}:[_x� pgL&^ʾ��**M"x<&j�>vT94q�r�_YoבnL*%�qRPٜ�*,%5M�
X�*ȉ#�"0�9X����
4gj
h��%�Z)m�2*�COgĕJV��Ȋ*ğl;^�S�8cO.`�?Y^~�揘�)zljt0Ϙ��R�eX�|iNti<琩{GDKar��?�_azaAz��&�2齅d&�GY�LV!-;cL����oWv�&K{�hL©(9
^ҋSM�h
���<5mV�AL��2�t�x增U��JxP?3L�eDfko�,D!',
9*e+)묓ܲP>Д
+,�k1.�I�/
uzS\�)9Aw���S9tNִ�/N)ZdXh6~���m�H^ƠT:�ޮ�R]k�
�2�S�˶0Zw
Wjڄ"b b7{\X3,#
t,>D4~Na+)WK�v3t�l}�5}�-foU�OLXV
��T�#!EX+LBYah�]s�V/
K?/|udA`'\qS�[�"�T��J}�ܑe
6Nl*IH�-qݻ(�Qܥ&�;oâ˘�_��� c����3H$6/`k��@0 !�P��TQ-W/#Ƃ]L��]LU)TO"nƛhC��{
h]>L,�,@��ЧCkzMV9ë#__$p�pW˳n)�nM�7+^&:&}G�DӻjZ)/KʗɈBŜ"K� k*�w%6�PU�3yr=ݯJUP56u�2�\�r�ďuf1[e�-&sctdK�(ssM��l\7�b Z �O��
�0wA�*}?*\E�IvSfn
Ϛ��� ?_ar_n{V9!���%u/FRiE�mT)玾ߓJt-ӄ>zB�bz�Q=Y�@r�v�jT
Gt2�R@BZFb.x|V
n�&,c
TٟsɚB�y_�I�CVj e&g+�,Ƹ @48&�o��ZU{�?" }M
��p�ف�|1tcϼ1�̶\fm~GW
u58;$�mS.�i9|LW�i_we�tz�vYl�E��F~_+Kx��fqh/R!)��X|xxђ:6?�pȾYMw $H��X�M��t�#fOԳ"ju.KW�m}:��8�.�dhX7��Nys!^>!#rhKV�KQ~\#{�R␅G!pUv*<��a�Sڎ6�N
#Z[?�0KwMT!mC@H}]WXzӱB3ZMUc |
E06vy8eU)R�2MD�Yk�.N�m�[O[�t�1ݻða�Ts d
ev�-m22uC%L<1CђL)dJHsQ8�z>RB&T
˓$-I^O eqj�i�e�ʒ��~I'i'1ۡ �Ҟۓ�_6/G8
(O�krwsq�^^߹n,D2z�L`~l)JZa"A|)J|
a9i� e!>�ewqJhI�g��+y-)EY-V6Y��;�Ã�hb&�y�xh= �($rHj-_e�VUkv{3B��qA6,p\?/<[|,�Mw[�v1CZ=r�}E��g q�W�}F�*��=G7o�6��2�}?F$c:�I"�I^U֫YdU)I�}YE㣑);8�{�xH_@Ɍ7CCҁ�W�-�3H�/�m3{F
_2}K�N7+{�Y<��`O�7��]f+wB&R6Zg%J}�qMԈ@k"kir<^Y8Z�䑼D�G۵%��t`�5o��14�Ll*z3=}v9[vÏ5&k� ?Q@.mvc鼱��2��>
AY#ؖrbL��d<�J��;�o�mܭn � B�;BJ��[ZQ%F}?^�Sϗ(t4Z<�qL~~+FY:ˬbQɇ�&L?�ul�r/g�;jD�yLw
`L~cۜ
y8>Y�Tm떣u�BI0�ت$\}���['5.C>W<":(?W
=i{�L�*xhG'$v
]�;NQ�DO�~ΨGS>e'=:]:���L�I;o��A.QP�-:]f���BgWx��#rG{YlY�쓷0@%�oV �ِ�%�̽�P[ϣw4]NbL(F#KFw2$g@}ZH )]T�os�K'-,�c$&_b'=~�/!R�+�FKAJJ�wXkȪB{.Fe�t�:M�S��\;]0�(�~�#W}zg[Qd`R?ۧiE/�T�/G��VqJM?�+d&(%SRE!W�HJB�- ��BVQ�urZ)UGZT.*#cs5N,�&l"T!i�q���G�JM?�,? >�T�J'�Sa�i7R_@_ZXB�qA%�*i܁��J��A*Hq�i(i<�qkŮ/�1_mX�p'Sυ^ByzR-UjjUɢư��Vf^4�Щ��@ti]2��sx.US%OԠO�Tj�ߺi�(H��ݖ�w iJfM!FD�N+7U�K!d" e3�OEF%dn"B�iµSVlf`�'\#�oooo�cvR(To̎E۴E@Ӿz�ʖ*1
tzn� pbnAxҵ-*�kb4_Q��fzV!5�`
${,5�6ͳj~y5p�%x ([RټC�L��u0}ܗNA���� �lPrZ6��D������r�!��pH_ i=� C�ޒ&^Z}n9{.9u$~נڲL_nA�o�:`OX~%s/�nXccҖCbM^q�hYByyS�U@)۶&1�'i�өKB�(Ҁs7C""�6`'/bac�6w�m&�ǽ9�}2
�{�5^�̖T�+8l9�Ëpe/Sǽ�%ΊL�
�w&QÊO��o��]GWZ�BTelI߇�+�#8⸶;y M�.7m�&
%BOY�AS%l2~roFoFoFoFyFՊ�j_Q5�ę�Rӣҹ;r�wf}AVf˰˓ĥk��E(K,9wkI%m/L7BorE��{}{a�?oX=l5E)=۾x�{}�4^8mPM0!S۷X�wlEa��<~�֍umz" ua�;Ae�g@bL&ՍË(ŝ?�$,u6zJZ,]mˬ7ҥg�&Z$9
�.P
9R{cˌ�EH'kStoB}~5Cgcck��O"w>�,ZviYޣ3Ą{��Zfy-�;`TZ֭&4��6� d&ph6��Fl���֒D(�&w�aqX36�o
c$*X)�gx�]&���pMzD�hlsZ���t',槯^m"Ҷj�8mqqi|g�iɀ{271l�L/�A1D+lZ�Gj�w �OQ41>��G=#;3�@//Fxqs�jl`14q*wo�>(k�ʁV=P�,�O���kNkiξC.t2B��ى)�!;Ooq':`��0)�̰.$o,v',N67`a�T['�긭�7v+.JjL\L�QhcJ�;*�5��?~/&�&Ȣ#>ybq1Kq)x�Q�)מ.O�ǁr[ܸ��$`(#_v�{§(ʊ�6^P|?�FwI�:^ۏo��ߖ�v�v�aDB(lh�F][�0o��L6D?ߋ""p�Z8���ʮ䀲�m*1v%1h=(CZPBZ]��U=�Ir9�ꚜrNn
@`b3
("l\M!/�q�/d1���q�y%�.{;���^P4o&A7{a�ʰ>FS�Y�h9c!nhcb9wj�\lc槐nZJӂ,nw)�do=7�:[c[��ges[`�ɣs#ԄVt{�pU)
*
PZ|�hQU8[dV7U�S#�z^E�GLϫ&@�\ϫlX=ijyb+'-{�x"(ͲNDpd:ydE_"@�'e?0�M7|"S1-Ь~6տ4,L�<�\Tn]w=jh�ܻDڤH�vjR>�m퐞�s��W�yjUS*ZZQ#� J>6�=]J#x&kM@COK&ړ{�z^{:>�9[�W-V]M5
�s tPm2�A��'}XC
@W�ݹHu+nl@G�[,lpBG�^ac�i*qwm[*{�y-h<#Թ���=-���ísP]LvuUh9mF6�q�Tbk
4�{t?�(W' �#n%�YZmIr &�kh�ЙԽ~#n�ZU{GКX9�t(�o[ɀ^P>'
:{ћrP�Z-*�Gw_
�6aVzGZq!G(i=xIn�fib�LIxc#�i3duH*+�_!ݰ�VI my7�R[�$yJZƮEH���&?�f�b�srѾ�U�-<,��yH��嵅Dp@F��`3e@:Xj�Y�
�{�3sأ4ϓ߁AR� Q�@Bb)q��(b�WE�$��@��4G4(lϏ�B6C�SJTn$`G:�_���fF��E-�.E.ӻ�q(MqWyFc@ 3+ fɻs��:YstT(ʁ�2<�0u��9��)s!aR;����g�֎�s�>U���!"�]sP�E9yF�H�~�WO@͌�2ґ�[V;#�O6�~N3�>?Bg\㬳95:th_'}h\dC;�5>3?C�<�~�o�..f�v3�t3Ӆw3�fg�賛Aȣ���2 ,#o.w3a|/2�".`.2Ư�e�!z _z��2>.eF+�C�C���
2o�H@_�3�J}'ߧ�]CuV:u�^C�_�]g_ry�қ�|ּą)��qFz)8ΠR�EV
SV:,.N3k!
g���z-22�B��~/�>{'sg+�I\W�KM0TtEٳKL썊c\o%m:v�ņB__�|
CG0V`=*,M5�\ڎvڝ{fm*63vf;�w�S췡\F<$ OC;�=v)��5�OK*WY8�n-
�ǡ�8{�yg�ZY)W8#a}3̾�^�E|x|f�Ŭ^`O�U8�uߚ�Qu8� %��
HM��3wNz?8�a㮨-g�WxJ
=�s�;ބ]<͡a[@R'b$VT+[-WJr=
�f��Dx��ã�*R%}e`R+�+���Q�ॾ���kaR�o視��y�a8b�n%k�]#DK(��x��XxKcE\x��c@VW��/��^"^�6�&ic�(<�;)�܁R>�K>@e^u+r1b)?�/yr�����L:Aņ�J/ib+F=_3��ڑ.&cw&viǝaƱrV�4oAA?v��k -*x�q�
yY�oY^^]�r
N* X627��kV{υep-�#2O,�5U,%w,B;P&GҗGX`/Cub)H�#�U^��F�˫!AO�ai�cc6Hm�\wvlC�k��:knԙe���$>}P.q�
sE�eב�e$*J =˵�L8̈́t�̱{?p��Fî/�� 9o9RJX`^璑̀t>u�>Kw텰�o�2���>:|L\�P(OP"��q}$!1b~s$��I!+K)~[%|F33��1F#qy]�� ,pd+$E�'��Chy�R2GD!᳠c�"=���(2m- e'�t�}7�{�
/Ik=G}k[Ve�ɄK�!8F>
�&/&�!#R�.ܐO�F�{d)0XP�y74w�oJ�ˤ`K��Lܖ�-|���0qGĶ2]|R4Upv�Rvc�����;93_Zmr�Φ(@P��9���-By�x��Ϸ[���<-v7
/FO�i(|��_a[P~Y��3JbA,\i�n2;6Ŗ�i#7|��@ }H ofة65`y�+@0�4G5-E6<=܈x~;ݾA�g�
�����3Hdx.X߫8mׁQ#iHWd�JM"î,:u` {];=��{&2kWfl`T�xq;3�h_90�|6,�l�p+>oc�7Ϗq�`h2[/~�/[[�KY'}d&GX�I@
qs,B�Mn4Mb5��"[]^Iidž�a�vX�5�|,@a)5z`��n~3�f18��rX�~F�Ō6�s~�ȝgz�`Z>�^��O��gW�эX�-�E'ZsR.)C39I��}�ɦ|GnԌnBa��v��L$g�8%�3�93|,/�A,T�/>% ow2b9���3I9~p�
_Y�Glp��7�X]r1^��1�@:mv;�K%D=Sw�
Q\�']fHJTq�O|?��I>b3uㆧ�7O>}hIaF�y遢&!Z4��!�lZɌxY`(X�8E�]h�\_1��*?[sˬZY$IL#;ov[�'-�U.kIM)V�[]jqC۹�g۲N�*d%r�R�[W3EiQ}&'�Cfcnm߄;6�6BJFslx�6�1��G/P+��
|
Network Security & Hardware 
